Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.

Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.

There are a few other things in there too, but those are the leading ones, and what I think the techie geeks who are attracted to InfoSec need to learn is expressed well in those two phrases. It's not about the technology, it's about the business. It's why I hate the term “Cyber-”. Information Security risks existed in the days of typewriters, carbon copies and filing cabinets. Security risks existed in the days of handwritten messages and horseback couriers.

Why do I say this?

Back in my banking days one officer at the bank said:

The bank *IS* the computer

I saw his point but ultimately the bank is its dealings with people.
If people lose confidence in the bank, it will fail.
It has happened in the past; it can happen again, and all the
“Cyber-security” in the world won’t help.

